The CyberWire Daily Podcast 1.29.26
Ep 2478 | 1.29.26

Proxy wars and open doors.

Transcript

Google dismantles a huge residential proxy network. Did the FBI take down the notorious RAMP cybercrime forum? A long-running North Korea-backed cyber operation has splintered into three specialized threat groups. U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks ahead of the 2024 elections. Phishing campaigns target journalists using the Signal app. SolarWinds patches vulnerabilities in its Web Help Desk product. Amazon found CSAM in its AI training data. Initial access brokers switch up their preferred bot. China executes scam center kingpins. Our guest is Tom Pace, CEO of NetRise, explaining how open-source vulnerabilities are opening doors for nation-states. An unsecured webcam peers into Pyongyang.

Today is Thursday January 29th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google dismantles a huge residential proxy network. 

Google and its partners have launched a coordinated operation to dismantle IPIDEA, a residential proxy network that security experts describe as one of the largest of its kind. The service routes internet traffic through millions of everyday consumer devices worldwide, allowing attackers to blend malicious activity into normal user traffic. According to analysts at Google Cloud, this infrastructure has been widely abused by criminal and nation-state groups to support cyberattacks, espionage, and data theft.

IPIDEA operates by embedding hidden software development kits, or SDKs, into legitimate-looking apps such as games and utilities. Once installed, these SDKs quietly turn user devices into proxy exit nodes without clear consent. Google reports that in a single seven-day period in January 2026, more than 550 tracked threat groups relied on IPIDEA nodes for activities including business system access and password spraying. Enforcement actions, supported by partners like Cloudflare, disrupted core infrastructure and removed millions of infected devices, though experts warn that similar networks continue to grow.

Did the FBI take down the notorious RAMP cybercrime forum?

The notorious RAMP cybercrime forum, widely used by ransomware groups and initial access brokers, appears to have been seized by the Federal Bureau of Investigation, after its websites were replaced with an FBI seizure notice. The U.S. Department of Justice has not confirmed the action publicly, prompting some skepticism given past exit scams in the cybercrime ecosystem. DNS records reportedly showed RAMP redirecting to an FBI-controlled domain, though the notice lacks international partner logos typically seen in coordinated takedowns.

RAMP served Russian-, Chinese-, and English-speaking criminals and was previously administered by Mikhail Matveev, before control reportedly passed to a hacker known as Stallman, who now claims law enforcement has taken over the forum. Former U.S. intelligence official Laura Galante said such disruptions are intended to fragment cybercrime markets, making them less stable and making it harder for dominant groups to emerge.

A long-running North Korea-backed cyber operation has splintered into three specialized threat groups.

CrowdStrike reports that a long-running North Korea-backed cyber operation has splintered into three specialized threat groups, reflecting a more mature and bureaucratic structure. The original group, dubbed Labyrinth Chollima, now focuses primarily on espionage, targeting manufacturing, logistics, defense, and aerospace organizations in Europe and the United States. Two offshoots, Golden Chollima and Pressure Chollima, concentrate on cryptocurrency theft to generate revenue for the regime.

According to CrowdStrike, Pressure Chollima carried out last year’s record $1.46 billion crypto theft and is among North Korea’s most technically advanced actors. The groups share infrastructure and lineage with the broader Lazarus Group, indicating centralized coordination. CrowdStrike says the continued diversification allows Pyongyang to expand cyber operations while funding them under the pressure of international sanctions.

U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks ahead of the 2024 elections. 

CNN reports that weeks before the 2024 election, U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks targeting American voters, according to sources briefed on the effort. From U.S. Cyber Command, hackers interfered with servers and personnel linked to Russian firms spreading fabricated news aimed at swing states, particularly attacking politicians supportive of Ukraine. One source said the operation slowed, but did not stop, the activity.

The action was part of a broader, multi-agency push involving the Federal Bureau of Investigation and the Department of Homeland Security to blunt foreign election interference. However, under President Donald Trump’s second administration, many election security and counter-influence programs have since been cut or dismantled. Current and former officials warn those reductions have weakened the federal response just as Russia, China, and Iran continue to refine influence operations, raising concerns ahead of the 2026 midterms.

Phishing campaigns target journalists using the Signal app. 

Journalists and civil society figures in Germany and elsewhere in Europe are being targeted by a sustained phishing campaign abusing the Signal messaging app, according to reporting by netzpolitik.org. The attacks impersonate “Signal Support,” warning recipients of suspicious activity and urging them to share a verification code. Security experts say the campaign appears highly targeted, focusing on journalists, lawyers, politicians, and activists, and may be spreading through stolen address book data.

According to Amnesty International, the campaign is active, though it remains unclear how many victims were compromised. If users share both the verification code and their Signal PIN, attackers can take over accounts, lock out legitimate users, and access contacts and group memberships, potentially exposing sources and networks. Signal says the attacks do not exploit flaws in its software and stresses it never contacts users via in-app chats, urging users to enable registration lock and never share codes or PINs.

Signal Foundation president Meredith Whittaker warned that artificial intelligence agents embedded in operating systems are undermining the real-world protections of end-to-end encryption. Speaking to Bloomberg at the World Economic Forum in Davos, Whittaker said encryption remains mathematically sound, but AI assistants often require broad system access that exposes decrypted messages. She cited research showing misconfigured AI agent tools linked to Signal accounts, allowing plaintext message access, and argued that encryption cannot compensate for near-root-level access by AI systems.

SolarWinds patches vulnerabilities in its Web Help Desk product. 

SolarWinds has released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws with CVSS scores of 9.8. The most severe, CVE-2025-40551, is an unauthenticated deserialization bug that could enable remote code execution, according to researchers at Horizon3.ai. Three additional critical issues include another deserialization flaw and two authentication bypass bugs, researchers say. Two high-severity issues involve security control bypass and hardcoded credentials. All flaws are fixed in Web Help Desk version 2026.1, and SolarWinds urges organizations to update promptly.

Amazon found CSAM in its AI training data. 

Amazon reported hundreds of thousands of suspected child sexual abuse material, or CSAM, discoveries last year while scanning data used to train its artificial intelligence models, according to reporting by Bloomberg. The material was removed before training, but officials at the National Center for Missing and Exploited Children say Amazon provided little detail about the content’s origin, limiting law enforcement’s ability to identify perpetrators or protect victims. NCMEC says AI-related CSAM reports surged more than fifteenfold in 2025, with Amazon accounting for the vast majority.

Amazon says the data came from external sources and was flagged through automated scanning, using deliberately over-inclusive thresholds that may produce false positives. Child safety experts warn the findings highlight risks in rapidly assembling large AI training datasets without sufficient safeguards or transparency.

Initial access brokers switch up their preferred bot. 

Researchers at Proofpoint report that prolific initial access broker TA584 has escalated operations by deploying Tsundere Bot alongside the XWorm remote access trojan, activity that could enable follow-on ransomware attacks. Proofpoint has tracked TA584 since 2020 and says its campaign volume tripled in late 2025, expanding beyond North America and the UK into Europe and Australia.

The attack chain relies on phishing emails sent from compromised accounts via services like SendGrid and Amazon SES. Victims are funneled through CAPTCHA and ClickFix pages that prompt them to run PowerShell commands, loading malware directly into memory. Tsundere Bot, first documented by Kaspersky, supports data theft, lateral movement, and payload delivery. Proofpoint assesses with high confidence that these infections could ultimately lead to ransomware deployment.

China executes scam center kingpins. 

China has executed 11 people linked to cyber scam centers operating in Myanmar, according to state media. The individuals, described as core members of the Ming family criminal gang, were convicted of fraud, running illegal casinos, and intentional homicide. Authorities say the syndicate handled more than $1.4 billion in illicit funds and was tied to multiple deaths. The executions come amid broader regional crackdowns on scam operations, which the United Nations Office on Drugs and Crime says are expanding across Southeast Asia and often involve human trafficking.

An unsecured webcam peers into Pyongyang. 

Our turnabout-is-fair-play desk tells us a North Korean hacking unit reportedly got hacked itself. A YouTuber chasing online scammers stumbled into a military computer and, via webcam, caught everyday scenes of uniformed North Korean soldiers at work: polishing boots, typing code, swatting mosquitoes. Location data placed them near Pyongyang, despite VPNs pretending they were abroad. Awkward.

The footage feeds a familiar story. Investigators like the Federal Bureau of Investigation often blame North Korea for cybercrime, and here the soldiers were, moonlighting as remote developers on LinkedIn. With help from tools like ChatGPT, they landed jobs, collected salaries for the regime, and sometimes graduated to data theft and ransomware.

The same playbook has fueled major crypto heists, including the Bybit hack, and ad-driven malware campaigns abusing platforms like Google and Naver. The humor fades at the punchline: cybercrime is estimated to fund a significant slice of Pyongyang’s economy, and AI is making the whole operation faster, cheaper, and harder to spot.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.